Root password management tools


Tim Bell

Feb 26, 2013, 3:03:28 AM
to devops-t...@googlegroups.com

Are there any suggestions for tools to manage root and BMC/IPMI admin passwords for 1000s of servers?

We'd like to find an open source tool with a reasonable community.

Typically, we use Kerberos to authenticate, but under some circumstances, such as filesystem checks or power control operations, we need to have the passwords.

Tim Bell
CERN

Adam Jacob

Feb 26, 2013, 12:10:32 PM
to devops-t...@googlegroups.com
Does Chef/Puppet/Cfengine not meet your needs here?

Adam

--
You received this message because you are subscribed to the Google Groups "devops-toolchain" group.
To unsubscribe from this group and stop receiving emails from it, send an email to devops-toolcha...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Matt

Feb 26, 2013, 2:54:04 PM
to devops-t...@googlegroups.com
I couldn't find any mature libraries when looking for IPMI management,
in the end I went down the road of config management (Puppet) and
shelling out to the Open-IPMI tool suite.

Matt

Tim Bell

Feb 26, 2013, 4:19:57 PM
to devops-t...@googlegroups.com

As regards using puppet, my problem is not changing the password but more how to:

- I want to change it frequently (staff departure, ...)
- I want to give access to the root password for administrators of their machines only, not all machines in the centre. This would correspond to Foreman/Puppet hostgroup admins.
- I want to support web apps such as remote power control or console access to use the secure passwords for automated actions

Tim

Brad Knowles

Feb 26, 2013, 4:51:28 PM
to devops-t...@googlegroups.com, Brad Knowles
On Feb 26, 2013, at 3:19 PM, Tim Bell <nogg...@gmail.com> wrote:

> As regards using puppet, my problem is not changing the password but more how to:
>
> - I want to change it frequently (staff departure, ...)

We did that with Chef at a previous job. I'm sure that you can do the same with Puppet.

> - I want to give access to the root password for administrators of their machines only, not all machines in the centre. This would correspond to Foreman/Puppet hostgroup admins.

Hosted and Private Chef give you role-based features that I think should be able to be used like this. Don't know what Puppet can offer in this space, but I'd be surprised if they couldn't offer some sort of solution.

> - I want to support web apps such as remote power control or console access to use the secure passwords for automated actions

That seems to me to be something better suited to solve through tools like sudo.

--
Brad Knowles <br...@shub-internet.org>
LinkedIn Profile: <http://tinyurl.com/y8kpxu>

Tim Bell

Feb 26, 2013, 5:06:32 PM
to devops-t...@googlegroups.com

Puppet can do the change... my problem is more how to get the password in clear text where IPMI or fsck need it. 

i.e.

- I'm the administrator for box X
- Normally, I would ssh in to root@boxx
- When it does not work, I want to open an IPMI console session (need an admin password) to the console and log in as root (need root password) to determine the root cause.

Tim


Carl Caum

Feb 26, 2013, 5:52:39 PM
to devops-t...@googlegroups.com
If you want to prevent your IPMI passwords from being in clear text, you can use this method to GPG encrypt your hiera data: http://www.craigdunn.org/2011/10/secret-variables-in-puppet-with-hiera-and-gpg/

To prevent leaking the password to the process table, if you're using an exec you can set the environment parameter to the value retrieved by hiera. Then you can use the environment variable in your exec command. Something to this effect:

$ipmi_pass = hiera('ipmi_pass')

# Single quotes keep the literal $IPMI_PASS in the command string; the shell
# expands it from the environment at run time, so the password never appears
# in the argv that ps and /proc/<pid>/cmdline expose to every local user.
exec { 'IPMI password':
  command     => 'setipmi root:$IPMI_PASS',
  environment => ["IPMI_PASS=${ipmi_pass}"],
  provider    => shell,
}


--
Carl Caum
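An added example (not Carl's code) showing the two points his exec relies on: a secret placed on a child's command line is readable by every local user through the process table, whereas one placed in the environment is not, and a single-quoted `$IPMI_PASS` is substituted by the shell, not by Puppet. It assumes Linux `/proc`; the sleeping Python child stands in for the IPMI tool and the password is a constructed value. The environment is still readable by the same user and by root via `/proc/<pid>/environ`, so this narrows exposure rather than removing it.

```python
import os
import subprocess
import sys

CHILD = "import time; time.sleep(5)"   # idle stand-in for the IPMI tool

def observed_cmdline(secret, via_env):
    """Start a child that gets `secret` either on its command line or in
    $IPMI_PASS, and return the argv any local user can read for it."""
    argv = [sys.executable, "-c", CHILD]
    env = dict(os.environ)
    if via_env:
        env["IPMI_PASS"] = secret         # what the exec's environment => does
    else:
        argv.append(f"root:{secret}")     # python ignores the extra argument
    child = subprocess.Popen(argv, env=env)
    try:
        # Same data `ps -o args` prints; world-readable on Linux.
        with open(f"/proc/{child.pid}/cmdline", "rb") as f:
            return f.read().replace(b"\0", b" ").decode()
    finally:
        child.kill()
        child.wait()

def leaks_to_process_table(secret, via_env):
    return secret in observed_cmdline(secret, via_env)

def shell_expands_env(secret):
    """Mirror of the exec command: the string keeps a literal $IPMI_PASS
    (Puppet single quotes do not interpolate) and the shell substitutes it
    from the environment when the command runs."""
    out = subprocess.run(["sh", "-c", 'printf "%s" "root:$IPMI_PASS"'],
                         env={**os.environ, "IPMI_PASS": secret},
                         capture_output=True, text=True, check=True)
    return out.stdout
```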

Brian Pitts

Feb 26, 2013, 6:44:52 PM
to devops-t...@googlegroups.com
It's somewhat clunky, but we use Passpack for this.

http://www.passpack.com/en/encrypted-shared-passwords/

All the best,
Brian

Domenick Petrella

Mar 5, 2013, 12:00:36 PM
to devops-t...@googlegroups.com
Tim,

BLUF: I haven't seen a tool that manages passwords in the way you need, but am curious about your requirements.

I am working on the mechanics of maintaining bmc/ipmi passwords, and had started thinking about the same kinds of issues.  To summarize your requirements:

- 1000s of machines, both physical and virtual
- Many users, who will need root/ipmi to random collections of those machines

Extrapolating a bit, your requirements may also include:

- Allowing local root/ipmi password authentication to one machine cannot allow the same to another machine
- Local root/ipmi password is only valid for a fixed (and probably short) period of time
- Exposure to a password must be audited

Is this accurate?  This is where we would like to get to, although root passwords are in puppet at the moment.  However, we will need to satisfy the above requirements if we want to _know_ who has root.

Since we will be managing pre-boot attributes outside of the os configuration management, including ipmi passwords, it seems like a good place for us to manage root passwords for the os, too, since the granularity and auditing will already exist there.

-Domenick

Tim Bell

Mar 5, 2013, 1:08:03 PM
to devops-t...@googlegroups.com

We're looking for a tool which would cover

- A process should change passwords on a regular basis. These currently cover root and IPMI (but others may exist in future)
- In the event of the machine being down, this procedure should not take place (since this would imply that the recorded password and actual password were inconsistent)
- The current values of the 'secret' should be available to a specific set of administrators via a web or CLI interface

Given that puppet has a certificate framework, the machine initiated operations can be done through the puppet certificate.

The user-related actions are associated with the users who have super-user permissions (such as changing the configuration). Not sure if there is a generic way to identify the users who have a super-user profile (such as being able to ssh as root).

Tim
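An added example (not from any post in the thread) sketching the store that Tim's list above and Domenick's requirements describe: per-host root/IPMI secrets, scheduled rotation that is skipped while a host is down and only recorded after the push succeeded, read access limited to the host's hostgroup admins, and an audit entry for every exposure or refusal. Hostnames, hostgroups, users and the `apply` push hook are hypothetical, in-memory constructed data.

```python
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timezone

ALPHABET = string.ascii_letters + string.digits

def now():
    return datetime.now(timezone.utc).isoformat()

@dataclass
class SecretStore:
    hostgroups: dict                               # host -> hostgroup
    admins: dict                                   # hostgroup -> {users}
    passwords: dict = field(default_factory=dict)  # (host, kind) -> password
    audit: list = field(default_factory=list)      # (time, action, host, kind, user)

    def rotate(self, host, kind, reachable, apply):
        """apply(host, kind, new) is the hypothetical push to the machine; the
        record changes only after it succeeds and a down host is skipped."""
        if not reachable:
            self.audit.append((now(), "skip-rotate", host, kind, None))
            return False
        new = "".join(secrets.choice(ALPHABET) for _ in range(20))
        if not apply(host, kind, new):
            return False
        self.passwords[(host, kind)] = new
        self.audit.append((now(), "rotate", host, kind, None))
        return True

    def reveal(self, user, host, kind):
        """Only the host's hostgroup admins may read; reads and refusals are audited."""
        group = self.hostgroups[host]
        if user not in self.admins.get(group, set()):
            self.audit.append((now(), "deny", host, kind, user))
            raise PermissionError(f"{user} is not an admin of {group}")
        self.audit.append((now(), "reveal", host, kind, user))
        return self.passwords[(host, kind)]

def demo():
    """Constructed data: two hostgroups, one admin each; node02 is down."""
    store = SecretStore(hostgroups={"node01": "batch", "node02": "storage"},
                        admins={"batch": {"alice"}, "storage": {"bob"}})
    pushed = {}
    def fake_apply(host, kind, new):           # stands in for the real push
        pushed[(host, kind)] = new
        return True
    store.rotate("node01", "root", reachable=True, apply=fake_apply)
    store.rotate("node02", "ipmi", reachable=False, apply=fake_apply)
    return store, pushed
```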


Nathaniel Eliot

Mar 11, 2013, 2:08:10 AM
to devops-t...@googlegroups.com
So we've encountered similar needs at Infochimps. We haven't yet
landed on a solution, but some options I've been considering:

http://www.teampass.net/
http://www.passpack.com/
http://www.gazzang.com/products/ztrustee
https://github.com/clipperz/password-manager

The rotation would probably still need to be custom code.

Cheers,

--
Nathaniel Eliot
T9 Productions

Ajey Gore

Mar 12, 2013, 11:49:36 AM
to devops-t...@googlegroups.com
Password management has always been daunting; we never do root password management, instead user management using AD or NIS, and then allow users to log in to Linux using AD or NIS as a PAM plugin.

That way you can control user access on a per-host basis (one role per host or hosts per role).

Makes sense?
--
Thanks

Ajey

Adam Jacob

Mar 12, 2013, 11:55:03 AM
to devops-t...@googlegroups.com

There is such a business opportunity here; end to end identity management is far from a solved problem.

Scott McCarty

Mar 12, 2013, 9:34:33 PM
to devops-t...@googlegroups.com
FreeIPA is a fairly extensive identity management solution. It can manage hosts, groups, users, passwords, ssh keys, sudo rules, all from a central (HA Capable) server. It uses (and configures) Kerberos, DNS, and 389 (LDAP) server. It makes configuring all of this VERY easy.

http://freeipa.org/page/Main_Page
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html

Best Regards
Scott M